[Qa-debsources] Vulnerabilities in your site:

John Allen johnallen.official578 at gmail.com
Fri Aug 23 09:00:00 BST 2024


Hi,

How are you?

I haven't received any update from you yet.

Could you please confirm with me about the reported vulnerability and
its bounty reward?

Looking forward to hearing from you soon.

Thanks and Regards,

On Mon, Aug 12, 2024 at 1:00 PM John Allen
<johnallen.official578 at gmail.com> wrote:
>
> Greetings.
>
> Hope everything is going well.
>
> I am writing to follow up on the reported issue which we discussed a few days ago.
>
> And I'm eager to know your verdict on it. If the issue is verified, kindly let me know what bounty reward I should expect for responsible disclosure.
>
> Looking forward to hearing back from you soon.
>
> Thanks & Regards.
>
> On Mon, Jul 15, 2024 at 1:00 PM John Allen <johnallen.official578 at gmail.com> wrote:
>>
>> Hello Team,
>>
>>
>> I am a security researcher and I found some vulnerabilities in your site; one of them is as follows:
>>
>>
>> DESCRIPTION:
>>
>> I just sent a forged email to my email address that appears to originate from webmaster at debian.org. I was able to do this because of the following DMARC record:
>> DMARC record lookup and validation for: debian.org
>>
>>
>> "No DMARC Record found"
>> Or/And
>> "No DMARC Reject Policy"
>>
>>
>> FIX:
>> 1) Publish DMARC Record. (If not already published)
>> 2) Enable DMARC Quarantine/Reject policy
>> 3) Your DMARC record should look like
>> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info at domain.com"
>>
>>
>> This can be done using any PHP mailer tool like this,
>> <?php
>> $to = "VICTIM at example.com";
>> $subject = "Password Change";
>> $txt = "Change your password by visiting here - [VIRUS LINK HERE]";
>> // The From header is the identity DMARC is meant to authenticate; without an enforcing policy the receiver has no instruction to reject it.
>> $headers = "From: webmaster at debian.org";
>> mail($to, $subject, $txt, $headers);
>> ?>
>>
>>
>> You can check your DMARC record from here:
>> https://clickjacker.io/test?url=https://www.luzernerzeitung.ch/=toolpage
>>
>>
>>
>> Reference: https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkimdmarc_records
>>
>>
>> Let me know if you need me to send another forged email, or if you have any other questions.
>>
>> Note: Eagerly awaiting your approval for the bounty reward tied to my recent security contribution. Let's continue the journey together, and I will be reporting other vulnerabilities accordingly.
>>
>> Stay Safe & Healthy.
>> John Allen
>>
>> Snapshots:
>>
>>
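The DMARC assessment that the report above describes in words (no record, p=none, or an enforcing quarantine/reject policy), as an added example that is not part of this thread and not Debian's code: a small Python checker that parses a DMARC TXT record in the RFC 7489 tag=value syntax and reports the effective policy. It does no DNS lookups; the domain names and records in SAMPLE_RECORDS are constructed for offline use. Note that the suggested record in the report carries sp=none, which this checker flags, because sp=none means subdomains are left at monitoring only even though the organizational domain is at p=reject.

```python
"""Parse and assess DMARC TXT records (RFC 7489 tag=value syntax), offline."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records; in practice these come from a TXT lookup on _dmarc.<domain>.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    # Same shape as the record suggested in the report above.
    "hardened.example": "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@hardened.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lowercase tag -> value; raise ValueError if malformed."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not parts[0].lower().startswith("v="):
        raise ValueError("v= must be the first tag of a DMARC record")
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags["v"] != "DMARC1":
        raise ValueError("v= must be DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid required p= tag")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct must be an integer 0-100, got {pct!r}")
    return tags


@dataclass
class Assessment:
    domain: str
    policy: str            # "missing", "none", "quarantine" or "reject"
    subdomain_policy: str  # effective sp= (defaults to p= when absent)
    pct: int
    findings: List[str] = field(default_factory=list)


def assess_dmarc(domain: str, record: Optional[str]) -> Assessment:
    """Return the effective policy for the domain plus defender-relevant findings."""
    if record is None:
        return Assessment(domain, "missing", "missing", 0,
                          ["No DMARC record published; receivers get no instruction "
                           "to quarantine or reject mail that fails SPF/DKIM alignment."])
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()  # RFC 7489: sp defaults to p
    pct = int(tags.get("pct", "100"))
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none is monitoring only; failing mail is still delivered.")
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains at monitoring only.")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail.")
    if "rua" not in tags:
        findings.append("No rua= address; aggregate reports will not be received.")
    return Assessment(domain, policy, sp, pct, findings)


def enforces(a: Assessment) -> bool:
    """True only when every failing message is quarantined or rejected."""
    return a.policy in ("quarantine", "reject") and a.pct == 100


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(name, rec)
        print(f"{name}: p={result.policy} sp={result.subdomain_policy} "
              f"pct={result.pct} enforcing={enforces(result)}")
        for f in result.findings:
            print("  -", f)
```

Running the module prints one line per constructed domain with its effective policy and findings; only the record with p=reject and pct=100 is reported as enforcing, and even that one gets a finding for sp=none.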



More information about the Qa-debsources mailing list